Apps Passwords and Role Based Activation for WP Google Authenticator
I am really happy to announce that I pushed version 1.1.0 of WP Google Authenticator today. This version is the biggest update since the first release of the plugin. It adds support for two things that have been asked in the past: apps passwords and role based activation.
You might be using the WordPress mobile app on your iPhone or Android phone. So far you could actually use the WordPress app without problem. The plugin was using the user agent to determine if the connection was made from the WordPress app, and if it was, the one time password was skipped. This, obviously, brings the additional security this plugin adds down.
I'm happy to say that this is no longer the case. It is still possible to use desktop editing applications (or web services) to connect to WordPress, but it will require a manual intervention from you. It is not that difficult, and the good part is that the plugin is no longer limited to the official WordPress mobile app.
From now on, if you want to use a service or application that requires your credentials to log into WordPress, you have the ability to create an "app password". This is a password dedicated to one application that can bypass the one time password.
What's the difference with your own account password? First of all, the app password generated is strong. Most likely stronger that your current password. The second advantage is that you can revoke an app password at anytime. Don't need it anymore? Click a button and it's deleted. Think your app password has been compromised? One click and it's fixed without cutting the access of other apps.
Now that you have one (or more) app password(s) set, you can securely log in using your preferred app.
Also, in order to keep an eye on what's happening, every use of an app password is saved in an access log. If a connection look suspect, the log even highlight it and display a warning message inviting you to check what's happening and revoke the app password if there is a real risk.
The second major feature that's been added in version 1.1.0, and it's been requested by a few users, is role based forced activation of 2-steps authentication.
Until now, you could either force all users to use 2FA, or let them decide whether they want to use it or not. This has changed. You can now force users of a specific role to use 2FA. This can be especially useful if you have subscribers registered on your site. If the user doesn't have any privilege on your site then there is no need to enforce the security for them.
Here is what it looks like:
I think this is going to be a warmly welcome feature ;)
If you have any more feature suggestions, please go ahead and ask. I am more than happy to make this plugin better and better every-time I have a chance to work on it.